On June 28, 2016, the SEC proposed a new rule that would require investment advisers to adopt and implement written business continuity and transition plans. Currently, the SEC staff only expects advisers to address business continuity in their written policies and procedures to the extent relevant (see Advisers Act Release No. 2204). The proposed rule, if adopted, would create a standalone requirement for such plans.
In the event of technological failures, cyber-attacks, natural disasters, and the absence of key individuals or a substantial number of employees, “advanced planning and preparation can help mitigate the effects of such disruption, and in some cases, minimize the likelihood of their occurrence, which is an objective of [the proposed] rule,” said SEC Chair Mary Jo White.
The proposed rule would permit investment advisers to tailor their business continuity and transition plans based on the specific complexity and risks associated with the firm’s business. However, the proposed rule specifies the following components that investment advisers must address:
- Maintenance of systems and protection of data;
- Pre-arranged alternative physical locations;
- Communications plans between the firm, its employees, regulators, and its customers;
- Vendor due diligence and review of third-party service providers; and
- Plans of transitions in the event of firm closings, personnel departures, and other hindering events.
Additionally, the proposed rule would require investment advisers to review the adequacy and effectiveness of their business continuity and transition plans “at least annually” and retain appropriate records associated with the review.
In conjunction with the proposed rule, the SEC’s Division of Investment Management on June 28 also issued Guidance Update No. 2016-04 – Business Continuity Planning for Registered Investment Companies. The Guidance Update, among other things, stresses the importance of monitoring critical service providers and how a significant disruption in a service provider’s business could impact the fund.
How ACA Can Help
ACA frequently identifies issues with firms' business continuity plans, including incomplete or infrequent testing, and inadequate or no oversight of third parties’ business continuity and disaster recovery plans. ACA Aponix, ACA's cybersecurity and risk division, provides several services that support an adviser’s compliance with Rule 206(4)-7 and, to some extent, Rule 204-2. Some relevant compliance support services include:
- Technology Risk Assessment – ACA Aponix performs a deep-dive into a firm’s infrastructure and network, as well as the backup and resiliency of systems both internally and with vendors. This assists with the maintenance of systems and the protection of data required under the proposed rule.
- Vendor Due Diligence – ACA Aponix conducts tailored diligence on third-party service providers that maintain key data on a firm’s behalf, including a review of the vendor’s backups and recoverability.
- Documentation – ACA Aponix provides customized information security and incident response documentation, and can assist in refining or drafting disaster recovery and business continuity plans.